Fortinet Document Library

Administration Guide

Deployment scenario

Working configuration for a PC and a phone using 802.1X MAC-based authentication

Summary

  1. Configure all devices.
    • PC
    • Phone
    • FortiSwitch
    • FortiAuthenticator
    • DHCP server
  2. Authenticate the phone using MAB, with the voice VLAN assigned by LLDP-MED.
  3. Authenticate the PC using 802.1X EAP, with the data VLAN assigned by RADIUS.

 

A. Configure all devices

I. Configure the PC, phone, FortiSwitch, FortiAuthenticator (RADIUS server), and DHCP server

Phone configuration
      1. On the phone, enable the WAN port and leave its VLAN ID at the default, so that the LLDP-MED network policy advertised by the switch assigns the voice VLAN.
      2. On the phone, enable the LAN (PC) port and set its data VLAN ID to match the VLAN that RADIUS assigns to the PC (VLAN 10 in this example).
PC configuration
      1. Install the 802.1X supplicant software.
      2. Launch the supplicant, enter the user name and password, and enable DHCP on the interface.
FortiSwitch configuration
  1. Configure the LLDP profile for voice. The med-network-policy entries are what the switch advertises to the phone through LLDP-MED; the phone tags its voice traffic with the VLAN in the "voice" policy (21 here) without any VLAN configured on the handset.

    # show switch lldp profile
    config switch lldp profile
        edit "pexa" <<<<<<<<<<<<<<<< profile name, applied to the port in step 2
            set 802.1-tlvs port-vlan-id
            config med-network-policy
                edit "voice"
                    set status enable
                    set vlan 21
                next
                edit "voice-signaling"
                    set status enable
                    set vlan 31
                next
                edit "guest-voice"
                next
                edit "guest-voice-signaling"
                next
                edit "softphone-voice"
                    set status enable
                    set vlan 41
                next
                edit "video-conferencing"
                next
                edit "streaming-video"
                next
                edit "video-signaling"
                next
            end
            set med-tlvs inventory-management network-policy
        next
    end

     

  2. Apply the LLDP profile to the 802.1X port.

    # show switch physical-port port4
    config switch physical-port
        edit "port4"
            set lldp-profile "pexa" <<<<<<<<<<<<<<<< profile from step 1
            set speed auto
        next
    end

     

  3. Configure a user group whose member is the RADIUS server; the group is applied to the port as its security group in step 5.

    # show user group
    config user group
        edit "Corp_Grp_10"
            set member "FAC_LAB"
        next
    end

     

  4. Configure the RADIUS server (the FortiAuthenticator unit). The shared secret is stored encrypted in the configuration (ENC prefix); the server address is not shown on this page.

    # show user radius
    config user radius
        edit "FAC_LAB" <<<<<<<< FortiAuthenticator
            set secret ENCW82jBg06XhKD/4Dugqm8QF2f7D1B4bfFdDSZaLUQPwZXv4F8zMc5sWHRl9suwmbmzNnAnyqPaarAYcSLuT8kVjFSRO0znx+TXVWTqdSeLCpbMv+HYFNOHMbYlfES8wTYYD40InCgrYr2johvr2vfa5KG4g8XMwKSIM0LurR//1WqT0fH
            set server
        next
    end

     

  5. Configure port security on the 802.1X port.

    1. Set the port-security mode to 802.1X-mac-based and enable MAC authentication bypass.
    2. Add the voice VLAN to the allowed list (for example, 21).
    3. Apply the security group.

    In mac-based mode each MAC address seen on the port is authenticated separately, so the phone (MAB) and the PC behind it (EAP) each get their own session and the PC cannot ride on the phone's authorization. With guest-vlan and auth-fail-vlan disabled, a device that fails or never attempts authentication is placed in no VLAN at all; the guest-vlanid and auth-fail-vlanid values are ignored while those options are disabled.

    Interface port4 configuration:

    # show switch interface port4
    config switch interface
        edit "port4"
            set allowed-vlans 20-21,31,41
            set security-groups "Corp_Grp_10"
            set snmp-index 4
            config port-security
                set auth-fail-vlan disable
                set guest-auth-delay 120
                set guest-vlan disable
                set mac-auth-bypass enable
                set port-security-mode 802.1X-mac-based
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 40
                set guest-vlanid 30
            end
        next
    end

RADIUS configuration (FortiAuthenticator)

MAB authentication:

  • Add the phone's MAC address to the MAB list. MAB verifies nothing but the MAC address, which any device can spoof, so keep the list limited to the phones and leave the data VLAN behind 802.1X.

802.1X authentication:

  1. Create a local user for the PC.
  2. Create a user group with RADIUS attributes that return the data VLAN (the standard Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID = 10 attributes) and enable PEAP with MSCHAPv2 as the inner method.
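
The VLAN assignment in step 2 travels in the Access-Accept as the three RFC 2868 tunnel attributes that RFC 3580 defines for this purpose. The following Python is an added example, not FortiAuthenticator or FortiSwitch code: it encodes those attributes for VLAN 10 the way a RADIUS server would and parses them back the way a switch would, including the RFC 2868 rule that a leading octet above 0x1F in Tunnel-Private-Group-ID is data rather than a tag. The attribute numbers and values are the standard ones; the function names are this example's own.

```python
import struct

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580 (standard, not page-specific)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_attribute(attr_type, value):
    """Encode one RADIUS AVP as Type(1) Length(1) Value(n); Length covers the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan_id, tag=0):
    """Attributes an Access-Accept must carry to put the supplicant in vlan_id.

    tag is the RFC 2868 grouping tag (0 = unused, 1..31 = tunnel group).
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    # Tunnel-Type and Tunnel-Medium-Type: one tag octet followed by a 3-octet integer
    tunnel_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium_type = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: one tag octet followed by the VLAN ID as an ASCII string
    group_id = bytes([tag]) + str(vlan_id).encode("ascii")
    return (encode_attribute(TUNNEL_TYPE, tunnel_type)
            + encode_attribute(TUNNEL_MEDIUM_TYPE, medium_type)
            + encode_attribute(TUNNEL_PRIVATE_GROUP_ID, group_id))


def iter_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length does not fit the packet")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def parse_vlan_assignment(data):
    """Return the VLAN ID a switch should apply from an Access-Accept attribute
    list, or None if the three attributes do not form a complete assignment."""
    groups = {}  # tag -> {"type": int, "medium": int, "group": str}
    for attr_type, value in iter_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 octets")
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            groups.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet of 0x00..0x1F is a tag; anything larger
            # (for example the ASCII digit '1', 0x31) is the start of the string.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})["group"] = text.decode("ascii", "replace")
    for tag in sorted(groups):
        entry = groups[tag]
        if entry.get("type") == TUNNEL_TYPE_VLAN and entry.get("medium") == TUNNEL_MEDIUM_IEEE_802:
            group = entry.get("group", "")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(10)
    print(accept.hex())
    print("switch applies VLAN", parse_vlan_assignment(accept))
```

A switch that receives only Tunnel-Type and Tunnel-Private-Group-ID, or a group ID that is not a number, has no complete assignment and should fall back to the port's static VLAN rather than guess; parse_vlan_assignment returns None in that case so the caller has to decide explicitly.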
DHCP configuration (Cisco IOS switch acting as the DHCP server)
  1. On the DHCP server, configure a pool for the PC (data VLAN 10, 10.1.1.0/24) and a pool for the phone (voice VLAN 21, 20.1.1.0/24). Pool names are arbitrary.

    !
    ip dhcp pool PC
     network 10.1.1.0 255.255.255.0
     default-router 10.1.1.1
     dns-server 10.1.1.1
    !
    ip dhcp pool PHONE
     network 20.1.1.0 255.255.255.0
     default-router 20.1.1.1
     dns-server 20.1.1.5

  2. Exclude the gateway and DNS server addresses from each pool so that they are never leased to a client.

    ip dhcp excluded-address 10.1.1.1 10.1.1.5 <<<< gateway and DNS server
    ip dhcp excluded-address 20.1.1.1 20.1.1.5 <<<< gateway and DNS server

  3. Configure the VLAN interface on the DHCP server switch as the gateway for the phone (voice VLAN 21).

    # show run
    Building configuration...

    Current configuration
    !
    interface Vlan21 <<<<<<
     ip address 20.1.1.1 255.255.255.0
    end

  4. Configure the VLAN interface as the gateway for the PC (data VLAN 10).

    # show run
    Building configuration...

    Current configuration
    !
    interface Vlan10 <<<<<<
     ip address 10.1.1.1 255.255.255.0
    end

     

  5. Configure the Layer 2 port toward the FortiSwitch unit and allow the voice VLAN on it.

    # show run
    Building configuration...

    Current configuration
    !
    interface GigabitEthernet1/0/1 <<<<<<
     switchport access vlan 21
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan all
     switchport mode trunk
    end

  6. Configure the Layer 2 port toward the FortiSwitch unit and allow the data VLAN on it.

    # show run
    Building configuration...

    Current configuration
    !
    interface GigabitEthernet1/0/2 <<<<<<
     switchport access vlan 10
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan all
     switchport mode trunk
    end

II. Connect a link between the FortiSwitch unit and the DHCP server and allow the phone's voice VLAN (21) on both ends of the link.

III. Connect a link between the FortiSwitch unit and the DHCP server and allow the PC's data VLAN (10) on both ends of the link.

B. Authenticate the phone using MAB

  1. Connect the phone to the switch. The phone runs no supplicant, so the FortiSwitch unit authenticates its MAC address with RADIUS through MAB (mac-auth-bypass).
  2. Once authenticated:
    1. On the FortiSwitch unit, verify that the port is authorized, that the phone's MAC address has a MAB session in the AUTHENTICATED state, and that the voice VLAN is on the allowed list.

      # diagnose switch 802-1x status

      Hostapd own address 90:6c:ac:18:6f:2f
      receive dump diagnostic 802_1x/MAB sessions. ifname :port4:

      port4 : Mode: mac-based (mac-by-pass enable)
      Link: Link up
      Port State: authorized ( ) <<<<<<
      Native Vlan : 1
      Allowed Vlan list: 1,10,20-21,31,41 <<<<<< voice VLAN 21 allowed
      Untagged Vlan list:
      Guest VLAN:

      Client MAC Type Vlan Dynamic-Vlan
      68:f7:28:fb:c0:0f 802.1x 1 10
      00:a8:59:d8:f1:f6 MAB 1 0 <<<<<<<<<<<<<<<< phone

      Sessions info:
      68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
      params:reAuth=3600
      00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED <<<<<< phone
      params:reAuth=3600


    2. On the FortiSwitch unit, verify that the LLDP neighbor detail for port4 shows the phone (the chassis ID and port ID are the phone's address and MAC) and that the voice VLAN advertised in the network policy is the one configured in the LLDP profile.

      Neighbor learned on port4 by LLDP protocol
      Last change 140 seconds ago
      Last packet received 13 seconds ago

      Chassis ID: 20.1.1.10 (ip) <<<<<<<<<< phone's DHCP address
      System Name: FON-670i
      System Description
      V12.740.335.12.B

      Time To Live: 60 seconds
      System Capabilities: BT
      Enabled Capabilities: BT
      MED type: Communication Device Endpoint (Class III)
      MED Capabilities: CP
      Management IP Address: 20.1.1.10

      Port ID: 00:a8:59:d8:f1:f6 (mac) <<<<<<<<<<<<<<< phone's MAC (the MAB session above)
      Port description: WAN Port 10M/100M/1000M
      IEEE802.3, Power via MDI:
      Power devicetype: PD
      PSE MDI Power: Not Supported
      PSE MDI Power Enabled: No
      PSE Pair Selection: Can not be controlled
      PSE power pairs: Signal
      Power class: 1
      Power type: 802.3at off
      Power source: Unknown
      Power priority: Unknown
      Power requested: 0
      Power allocated: 0
      LLDP-MED, Network Policies:
      voice: VLAN: 21 (tagged), Priority: 0 DSCP: 0 <<<<<<<<<<<< voice VLAN from the LLDP profile
      voice-signaling: VLAN: 21 (tagged), Priority: 0 DSCP: 0
      streaming-video: VLAN: 21 (tagged), Priority: 0 DSCP: 0

      # Checking STA 00:a8:59:d8:f1:f6 inactivity:
      Station has been active

    3. On the phone, verify that a DHCP address from the voice pool is assigned.
    4. On the DHCP server, check the binding and ping the phone from the gateway to verify that it is reachable. The binding table below was captured after the PC had also authenticated (section C), so it shows both leases.

      # show ip dhcp binding
      IP address      Client-ID/              Lease expiration        Type
                      Hardware address
      10.1.1.7        0168.f728.fbc0.0f       Mar 11 1993 01:54 AM    Automatic <<<<<< PC
      20.1.1.10       00a8.59d8.f1f6          Mar 20 1993 01:52 AM    Automatic <<<<<< phone

      # ping 20.1.1.10
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

      # ping 10.1.1.7
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

C. Authenticate the PC using 802.1X EAP

  1. Connect the PC to the phone's LAN port. The PC's supplicant authenticates with EAP (PEAP/MSCHAPv2) and RADIUS returns the data VLAN.
  2. After authentication:
    1. On the FortiSwitch unit, verify that the port is authorized, that the PC's MAC address has an 802.1x session in the AUTHENTICATED state, and that the dynamically assigned data VLAN (10) has been added to the allowed list.

      # diagnose switch 802-1x status

      Hostapd own address 90:6c:ac:18:6f:2f
      receive dump diagnostic 802_1x/MAB sessions. ifname :port4:

      port4 : Mode: mac-based (mac-by-pass enable)
      Link: Link up
      Port State: authorized ( ) <<<<<<
      Native Vlan : 1
      Allowed Vlan list: 1,10,20-21,31,41 <<<<<< dynamic VLAN 10 added
      Untagged Vlan list:
      Guest VLAN:

      Client MAC Type Vlan Dynamic-Vlan
      68:f7:28:fb:c0:0f 802.1x 1 10 <<<<<<<<<<<<<<<<<<<<< PC, dynamic VLAN 10 from RADIUS
      00:a8:59:d8:f1:f6 MAB 1 0

      Sessions info:
      68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED <<<<<< PC
      params:reAuth=3600
      00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
      params:reAuth=3600

    2. On the PC, verify that a DHCP address from the data pool is assigned.
    3. From the DHCP server, check the binding and ping the PC from the gateway to verify that it is reachable.
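
The session dumps in sections B and C are read by eye above. The following Python is an added example, not FortiSwitch code: it parses that per-port 802.1X/MAB dump into a structure and checks it against the state the procedure intends for port4 (port authorized, phone via MAB with no dynamic VLAN, PC via 802.1x with dynamic VLAN 10 present in the allowed list, and no other MAC address on the port). The sample dump is the page's own output trimmed of the hostapd banner lines; the function names and the expected-client table are this example's own.

```python
import re

# Constructed sample: the port4 dump from sections B and C of this page, trimmed
# of the hostapd banner lines. Real output is read from the FortiSwitch CLI.
SAMPLE_DUMP = """\
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( )
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41
Untagged Vlan list:
Guest VLAN:

Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10
00:a8:59:d8:f1:f6 MAB 1 0

Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params:reAuth=3600
"""

# Expected state of port4 (this example's table): MAC -> (auth type, dynamic VLAN)
EXPECTED_CLIENTS = {
    "68:f7:28:fb:c0:0f": ("802.1x", 10),  # PC, data VLAN returned by RADIUS
    "00:a8:59:d8:f1:f6": ("MAB", 0),      # phone, no dynamic VLAN (voice VLAN comes via LLDP-MED)
}

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
PORT_LINE = re.compile(r"^(\S+)\s*:\s*Mode:\s*(\S+)\s*\(mac-by-pass\s+(\w+)\)")
CLIENT_ROW = re.compile(r"^" + MAC + r"\s+(802\.1x|MAB)\s+(\d+)\s+(\d+)\s*$", re.I)
SESSION_ROW = re.compile(r"^" + MAC + r"\s+Type=([^,]+),([^,]*),state=(\w+)", re.I)


def expand_vlan_list(text):
    """Turn '1,10,20-21,31,41' into {1, 10, 20, 21, 31, 41}."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_dot1x_status(dump):
    """Parse the per-port 802.1X/MAB dump; clients are keyed by lower-case MAC."""
    status = {"port": None, "mode": None, "mab": False, "state": None,
              "allowed_vlans": set(), "clients": {}}
    for raw in dump.splitlines():
        line = raw.strip()
        if m := PORT_LINE.match(line):
            status["port"], status["mode"] = m.group(1), m.group(2)
            status["mab"] = m.group(3) == "enable"
        elif m := re.match(r"^Port State:\s*(\w+)", line):
            status["state"] = m.group(1)
        elif m := re.match(r"^Allowed Vlan list:\s*([\d,\-]*)", line):
            status["allowed_vlans"] = expand_vlan_list(m.group(1))
        elif m := CLIENT_ROW.match(line):
            client = status["clients"].setdefault(m.group(1).lower(), {})
            client.update(type=m.group(2), vlan=int(m.group(3)), dynamic_vlan=int(m.group(4)))
        elif m := SESSION_ROW.match(line):
            client = status["clients"].setdefault(m.group(1).lower(), {})
            client.setdefault("type", m.group(2))
            client.update(method=m.group(3) or None, state=m.group(4))
    return status


def check_port(status, expected_clients):
    """Compare the parsed status with the expected clients. An empty list means the
    port looks as the procedure intends; otherwise each finding names one problem."""
    findings = []
    port = status["port"]
    if status["state"] != "authorized":
        findings.append(f"{port}: port state is {status['state']}, not authorized")
    if status["mode"] != "mac-based":
        findings.append(f"{port}: mode is {status['mode']}, not mac-based")
    expected = {mac.lower(): spec for mac, spec in expected_clients.items()}
    for mac, (auth_type, dyn_vlan) in expected.items():
        client = status["clients"].get(mac)
        if client is None:
            findings.append(f"{mac}: no session on {port}")
            continue
        if client.get("state") != "AUTHENTICATED":
            findings.append(f"{mac}: session state is {client.get('state')}")
        if client.get("type") != auth_type:
            findings.append(f"{mac}: authenticated via {client.get('type')}, expected {auth_type}")
        if client.get("dynamic_vlan") != dyn_vlan:
            findings.append(f"{mac}: dynamic VLAN {client.get('dynamic_vlan')}, expected {dyn_vlan}")
        elif dyn_vlan and dyn_vlan not in status["allowed_vlans"]:
            findings.append(f"{mac}: dynamic VLAN {dyn_vlan} is not in the allowed list")
    # In mac-based mode every MAC needs its own session; any other MAC on the
    # port is a device the procedure did not put there.
    for mac in status["clients"]:
        if mac not in expected:
            findings.append(f"{mac}: unexpected client on {port}")
    return findings


if __name__ == "__main__":
    parsed = parse_dot1x_status(SAMPLE_DUMP)
    for finding in check_port(parsed, EXPECTED_CLIENTS) or ["port4: OK"]:
        print(finding)
```

Run it against a dump captured from the CLI instead of SAMPLE_DUMP to turn the manual checks in steps B.2.1 and C.2.1 into a pass/fail list; the unexpected-client check is the one that matters most in mac-based mode, because a third MAC address on the port means something other than the phone and the PC has been authenticated there.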
